The SCIT research project at George Mason University aims to create a secure server cluster framework that encompasses the following elements.
This research has been supported by the US Army's Telemedicine and Technology Research Center, the NIST-funded Critical Infrastructure Protection Program, SUN Microsystems, Lockheed Martin, and the Commonwealth of Virginia CTRF fund (project partner Northrop Grumman).
(Excerpts from the Cluster-Sec06 paper)
It is widely accepted that increasing the level of redundancy in a system generally improves service availability and system dependability. System security, on the other hand, is recognized as a critical subject on its own but has not often been associated with the issue of redundancy. This separation is evident when managers consider further investments in hardware. Hardware investments, such as acquiring more computing power, typically aim to improve services, to handle anticipated increases in workload, or to better assure service survivability at times of server failures; they are not expected to automatically strengthen the security of the system. As visualized in Figure 1, the goal of this work is to establish the connection between cluster security and hardware redundancy, in the form of spare computing power, in the context of intrusion tolerance.
Fig. 1: Relationship between additional computing power, service availability and system security in the context of SCIT
The difficulty in securing computer systems stems in large part from the increasing complexity of today's systems and the constant innovation and morphing of attack techniques. Despite intense research on computer and network security, critical information processing systems remain vulnerable to attacks [1]. We believe that this trend warrants new thinking in computer security: there will always be attacks that are sophisticated and stealthy enough to penetrate even the best security measures and evade the most advanced intrusion detection systems. It follows that a critical system must support intrusion prevention, detection, and /tolerance/, the last of which fends off, limits, or at least slows down the damage caused by successful but undetected attacks.
Our response to the intrusion tolerance problem is /Self-Cleansing Intrusion Tolerance/, or SCIT. The underlying assumption of SCIT is that a server that has been performing services online, and as a result has been exposed to attacks, must be assumed compromised. Consequently, an online server must be periodically cleansed to restore it to a known clean state, regardless of whether an /intrusion is detected or not/. While this paranoid attitude may be overkill for an average server, it is perfectly appropriate for critical, infrastructural servers, or for those whose breaches result in high pecuniary losses or even the compromise of national security. For a server of such consequence, it is common practice to use a dedicated hot standby, ready to take over the online tasks when the primary fails. In our approach to security we have specialized the SCIT solution to each class of servers. In a series of papers we have presented our designs of SCIT-enabled firewalls, web servers, and DNS servers. The robustness and effectiveness of the SCIT framework against cyber attacks have also been investigated.
The effectiveness of SCIT depends on constant server rotations to limit the window for which an intruder can stay in the system. The longer this /Intruder Residence Time/, the greater the damage and loss. We anticipate that the loss curve will be an S-curve of the form in Figure 2. If the Intruder Residence Time is less than the low loss threshold, then the cost of the intrusion is low, while an Intruder Residence Time greater than the high loss threshold will lead to near-maximum loss. The low loss threshold reflects the fact that it takes a certain time for an intruder to probe system configurations, issue malicious commands, establish backdoors, install Trojan horse programs and so on in order to gain a foothold in the target system. The steep slope between the two thresholds indicates that the intruder is in the middle of achieving the "end goals," such as stealing sensitive information, rendering the service unavailable and/or tampering with important data.
Fig. 2: Loss curve: Loss in dollars vs. Intruder Residence Time
Although there is no hard data for building the loss curve in Figure 2, there are reports that can help the process of building such a curve. For example, in [2] it is reported that in the context of on-line banking, security experts believe that a theft of $5,000 to $10,000 can be carried out over a few weeks, while larger losses up to $1 million are likely to take four to six months.
It is emphasized that SCIT is not a substitute for the conventional defense systems against intrusion. Hardening system security raises the low-loss threshold by making it more difficult for the enemy to obtain a foothold. In the meantime, frequent server rotations reduce /Server Exposure Times/, the time window in which a server stays online and is inevitably exposed to attacks. A successful, undetected breach is /contained/ if the server exposure time is shorter than the low loss threshold, that is to say, if the compromised server is rotated offline before the breach causes significant damage.
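The loss curve and the containment condition above can be turned into a small model that answers the practical question "how often must a server be rotated to keep a breach contained?". The following Python is an added illustration, not code from the SCIT project: the page gives only the S shape and the two thresholds, so the smoothstep formula used for the steep middle section and the threshold and dollar values in the demo are assumptions constructed here.

```python
"""Loss-curve model for Intruder Residence Time.

Added illustration for the SCIT description: the page specifies an S-curve with a
low-loss and a high-loss threshold; the smoothstep (3u^2 - 2u^3) used between the
thresholds is an assumption, chosen because it is exactly 0 at the low threshold,
exactly max_loss at the high threshold and monotone in between.
"""


def loss_curve(residence_time, low_threshold, high_threshold, max_loss):
    """Loss (in dollars) as an S-curve of Intruder Residence Time.

    Below the low-loss threshold the intruder is still gaining a foothold and the
    modelled loss is zero; above the high-loss threshold the loss is max_loss;
    between the thresholds a smoothstep gives the steep section of the curve.
    """
    if high_threshold <= low_threshold:
        raise ValueError("high_threshold must exceed low_threshold")
    if residence_time <= low_threshold:
        return 0.0
    if residence_time >= high_threshold:
        return float(max_loss)
    u = (residence_time - low_threshold) / (high_threshold - low_threshold)
    return max_loss * (3 * u ** 2 - 2 * u ** 3)


def is_contained(server_exposure_time, low_threshold):
    """SCIT containment condition: a compromised server is rotated offline before
    the breach reaches the steep part of the curve, i.e. the Server Exposure Time
    is shorter than the low-loss threshold."""
    return server_exposure_time < low_threshold


def max_exposure_for_budget(loss_budget, low_threshold, high_threshold, max_loss,
                            tol=1e-6):
    """Longest Server Exposure Time whose modelled loss stays within loss_budget.

    The curve is monotone, so a bisection between the two thresholds finds the
    crossing point; rotations must happen at least this often.
    """
    if loss_budget <= 0:
        return float(low_threshold)
    if loss_budget >= max_loss:
        return float("inf")
    lo, hi = float(low_threshold), float(high_threshold)
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if loss_curve(mid, low_threshold, high_threshold, max_loss) <= loss_budget:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Constructed numbers (minutes and dollars), not data from the page.
    low, high, max_loss = 10, 100, 1_000_000
    for exposure in (5, 30, 55, 200):
        print(f"exposure {exposure:>3} min: loss ${loss_curve(exposure, low, high, max_loss):>12,.0f}"
              f"  contained={is_contained(exposure, low)}")
    # Hardening raises the low threshold; rotation shortens the exposure. Either
    # one moves a server back into the contained region.
    print("hardened (low=20): contained at 15 min ->", is_contained(15, 20))
    print("longest exposure keeping loss under $250k:",
          round(max_exposure_for_budget(250_000, low, high, max_loss), 2), "min")
```

The two levers the text names map onto two parameters: hardening raises `low_threshold`, and faster rotation lowers the exposure time passed to `is_contained`; both can be tuned with `max_exposure_for_budget` to decide a rotation period for a given loss tolerance.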
The hardening of system security has been the subject of innumerable studies. In SCIT we provide another layer of security by reducing the attack window. Server Exposure Times can be reduced by employing more computing power to speed up server rotations. Overall, our objective is to explore new metrics for security, and our challenge is to analytically provide guarantees such as:
Minimum Service Guarantee: With arbitrary server failures, the cluster maintains a predefined minimum service availability as long as the cluster still has the required number of (functioning) servers. We note that many fault tolerance designs provide similar features.
Server Rotation Guarantee: Server rotations, the primary security defense of SCIT, continue under arbitrary server failures as long as the cluster has one server more than the number of servers required to meet the minimum service requirement.
Moreover, while it is well understood that increasing server redundancy improves fault tolerance, its effectiveness in closing attack windows will be investigated through a simulation study. Results of this study show that attack windows are less than 5 minutes using the same level of redundancy as the primary-and-backup setup. Much shorter windows can be achieved by adding more computing power, either in the form of more powerful processors in individual servers to speed up self-cleansing, or in the form of more spare servers in the cluster to speed up server rotations.
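The two guarantees and the redundancy argument can be checked with a discrete-time model of a rotating cluster. The Python below is an added example, not the SCIT project's scheduler or its simulation study: the rotation policy (clean spares first fill empty online slots, then the longest-exposed online server is swapped out), the tick-based timing, the server names and the failure scenarios are all assumptions constructed here. It records the Server Exposure Time of every online stint, which is the attack window the text reasons about, and compares it with the continuous-time steady state E = k*C/(n-k) for n servers, k of them online and a self-cleansing time C.

```python
"""Discrete-time model of SCIT server rotation (added illustration; the rotation
policy is an assumption, not the SCIT project's own scheduler).

n servers, of which k must be online to meet the minimum-service requirement. A
server taken offline needs `cleanse_time` ticks of self-cleansing before it is a
clean spare again. Each tick: clean spares first fill any empty online slot
(availability), then every remaining spare replaces the longest-exposed online
server (security).
"""
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    state: str = "clean"        # clean | online | cleansing | failed
    online_since: int = 0
    cleanse_done: int = 0


class ScitCluster:
    def __init__(self, names, required_online, cleanse_time):
        self.servers = [Server(n) for n in names]
        self.k = required_online
        self.cleanse_time = cleanse_time
        self.t = 0
        self.exposures = []     # Server Exposure Time of every completed online stint
        self.rotations = 0
        for s in self.servers[:required_online]:   # initial online set at t = 0
            s.state = "online"

    def _with_state(self, state):
        return [s for s in self.servers if s.state == state]

    def functioning(self):
        return [s for s in self.servers if s.state != "failed"]

    def service_ok(self):
        """Minimum Service Guarantee check: at least k servers are online."""
        return len(self._with_state("online")) >= self.k

    def current_exposures(self):
        """How long each currently online server has been exposed."""
        return {s.name: self.t - s.online_since for s in self._with_state("online")}

    def fail(self, name):
        """Arbitrary server failure: the server drops out in whatever state it was."""
        for s in self.servers:
            if s.name == name:
                s.state = "failed"

    def step(self, failures=()):
        self.t += 1
        for name in failures:
            self.fail(name)
        for s in self._with_state("cleansing"):            # self-cleansing completes
            if self.t >= s.cleanse_done:
                s.state = "clean"
        clean = self._with_state("clean")
        # 1. availability first: fill empty online slots with clean spares
        while len(self._with_state("online")) < self.k and clean:
            spare = clean.pop(0)
            spare.state, spare.online_since = "online", self.t
        # 2. security: rotate out the longest-exposed server(s) that did not come
        #    online this very tick, one per remaining clean spare
        while clean:
            candidates = [s for s in self._with_state("online") if s.online_since < self.t]
            if not candidates:
                break
            oldest = min(candidates, key=lambda s: s.online_since)
            spare = clean.pop(0)
            spare.state, spare.online_since = "online", self.t
            self.exposures.append(self.t - oldest.online_since)
            oldest.state, oldest.cleanse_done = "cleansing", self.t + self.cleanse_time
            self.rotations += 1


def steady_state_exposure(n, k, cleanse_time):
    """Continuous-time steady state: each server cycles through exposure E and
    cleansing C, and k of n are online at any instant, so k/n = E/(E+C), i.e.
    E = k*C/(n-k). With n <= k there is no spare and a server never rotates out,
    which is the Server Rotation Guarantee's n >= k+1 condition seen from the
    other side. The tick model matches this exactly when E is integral."""
    if n <= k:
        return float("inf")
    return k * cleanse_time / (n - k)


def simulate(names, required_online, cleanse_time, ticks, failures=None):
    """Run `ticks` steps; `failures` maps a tick to the names that fail at that
    tick. Returns (cluster, service_was_ok_at_every_tick)."""
    cluster = ScitCluster(names, required_online, cleanse_time)
    failures = failures or {}
    always_ok = True
    for _ in range(ticks):
        cluster.step(failures.get(cluster.t + 1, ()))
        always_ok = always_ok and cluster.service_ok()
    return cluster, always_ok


if __name__ == "__main__":
    for n in (3, 4, 6):   # k = 2 online, cleansing takes 2 ticks: more spares, shorter windows
        c, ok = simulate([f"S{i}" for i in range(1, n + 1)], 2, 2, 40)
        print(f"n={n}: steady exposure {c.exposures[-1]} ticks "
              f"(formula {steady_state_exposure(n, 2, 2):.2f}), service ok={ok}")
    # n = k after a failure: service is kept, but rotation stops and exposure grows
    c, ok = simulate(["S1", "S2", "S3"], 2, 2, 20, failures={6: ["S3"]})
    print("3 servers, S3 fails at t=6:", ok, c.rotations, c.current_exposures())
```

Running the `__main__` block shows the page's argument in numbers: with the primary-and-backup level of redundancy (n = 3, k = 2) the steady-state window is 4 ticks; one more spare halves it, and once a failure leaves only k functioning servers the service stays up but rotations stop, so the exposure of the remaining servers grows without bound.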
[1] President's Information Technology Advisory Committee (PITAC), Cyber Security: A Crisis of Prioritization, February 2005, available at http://www.nitrd.gov.
[2] Sandeep Junnarkar, "Anatomy of a hacking", available at http://news.com.com/2009-1017-893228.html, May 2002.
We have recorded a real-time video demonstrating the operation of two SCIT web servers. The first is a simple web server serving a static, information-only website. The second is a persistent-session web server, demonstrated with a shopping cart. In addition we show how SCIT servers recover from two attacks: a website defacement attack and a software deletion attack. For best quality, download the full 15 MB video: http://cs.gmu.edu/~asood/scit/SCIT-Demo_0003.wmv
The demo video is also posted on YouTube, where the image quality is lower than the download above: http://www.youtube.com/watch?v=gIN6JWInuv8
The e-commerce demo video is available for download in .mov and .wmv formats and can also be viewed as streaming video.
The demo in QuickTime-compatible format (.mov) is 97 MB and can be downloaded from http://cs.gmu.edu/~asood/scit/SCIT-ECommerce-Demo.mov
The e-commerce SCIT demo video in .wmv format is about 280 MB and can be downloaded from http://cs.gmu.edu/~asood/scit/SCIT-ECommerce-Demo.wmv
To stream the demo video, go to http://vimeo.com/8811055 (password: scit).
Pending
Ajay Nagarajan
Anantha Bangalore
David Arsenault
Yih Huang
Danny Han
David Pham
© 2002-2008 All Rights Reserved